今天我的邮箱收到了很多垃圾邮件,我查看了 exim4 日志,发现了一些可疑的活动.
我想了解这次攻击的严重性:如果只是我收到垃圾邮件,我可以删除它们并添加一些规则;但我想确认我的服务器本身没有在对外发送垃圾邮件.
我读了很多这些日志:
- 2016-03-09 07:53:12 1adXzZ-0007sb-Pz <= info@mydomain.com H=([127.0.0.1]) [129.137.152.170] P=esmtpa A=plain: S=1298 id=E10ADF97.F4977D1149D4C689@mydomain.com
- 2016-03-09 07:53:12 1adXzZ-0007sb-Pz no immediate delivery: more than 10 messages received in one connection
- 2016-03-09 08:16:57 1adXzZ-0007sb-Pz => kamikaze_****@hotmail.co.uk R=dnslookup T=remote_smtp H=mx3.hotmail.com [207.46.8.167] X=TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256 CV=no DN="CN=*.hotmail.com" C="250 <E10ADF97.F4977D1149D4C689@mydomain.com> Queued mail for delivery"
- 2016-03-09 08:16:57 1adXzZ-0007sb-Pz Completed
请考虑:
> kamikaze_****@hotmail.co.uk(我为隐私添加了一些星号)不是已知的收件人,这不是我服务器中的邮箱.
>真的应该只允许经过身份验证的用户,而我在这里没有找到任何身份验证信息.(需要结合第一条日志来判断:其中的 `P=esmtpa A=plain:` 是 Exim 记录该消息经由已认证的 ESMTP 会话、使用 PLAIN 认证器接收的方式,`H=([127.0.0.1]) [129.137.152.170]` 则是提交该消息的客户端地址.)
>在日志中有一个250和“已完成”,所以似乎没有抛出任何错误.日志的标志是“=>”这意味着传出消息……
这是我的配置:
- accept_8bitmime
- acl_smtp_data = acl_check_data
- acl_smtp_data_prdr = accept
- acl_smtp_mail = acl_check_mail
- acl_smtp_rcpt = acl_check_rcpt
- admin_groups =
- no_allow_domain_literals
- no_allow_mx_to_ip
- no_allow_utf8_domains
- auth_advertise_hosts = *
- auto_thaw = 0s
- av_scanner = sophie:/var/run/sophie
- bounce_return_body
- bounce_return_message
- bounce_return_size_limit = 100K
- callout_domain_negative_expire = 3h
- callout_domain_positive_expire = 1w
- callout_negative_expire = 2h
- callout_positive_expire = 1d
- callout_random_local_part = $primary_hostname-$tod_epoch-testing
- check_log_inodes = 0
- check_log_space = 0
- check_rfc2047_length
- check_spool_inodes = 0
- check_spool_space = 0
- daemon_smtp_ports = smtp
- daemon_startup_retries = 9
- daemon_startup_sleep = 30s
- delay_warning = 1d
- delay_warning_condition = ${if or {{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{ match{$h_precedence:}{(?i)bulk|list|junk} }{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
- no_deliver_drop_privilege
- deliver_queue_load_max =
- delivery_date_remove
- no_disable_ipv6
- dkim_verify_signers = $dkim_signers
- dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
- dns_csa_search_limit = 5
- dns_csa_use_reverse
- dns_dnssec_ok = -1
- dns_retrans = 0s
- dns_retry = 0
- dns_use_edns0 = -1
- no_drop_cr
- dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
- envelope_to_remove
- exim_group = Debian-exim
- exim_path = /usr/sbin/exim4
- exim_user = Debian-exim
- extract_addresses_remove_arguments
- finduser_retries = 0
- freeze_tell = postmaster
- gecos_name = $1
- gecos_pattern = ^([^,:]*)
- no_gnutls_allow_auto_pkcs11
- no_gnutls_compat_mode
- header_line_maxsize = 0
- header_maxsize = 1048576
- headers_charset = UTF-8
- helo_allow_chars = _
- helo_lookup_domains = @ : @[]
- host_lookup = *
- host_lookup_order = bydns:byaddr
- ignore_bounce_errors_after = 2d
- no_ignore_fromline_local
- keep_malformed = 4d
- no_ldap_start_tls
- ldap_version = -1
- no_local_from_check
- local_interfaces = <; ::0 ; 0.0.0.0
- local_scan_timeout = 5m
- local_sender_retain
- log_file_path = /var/log/exim4/%slog
- log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
- no_log_timezone
- lookup_open_max = 25
- max_username_length = 0
- no_message_body_newlines
- message_body_visible = 500
- message_logs
- message_size_limit = 50M
- no_move_frozen_messages
- no_mua_wrapper
- mysql_servers = localhost/system/exim/mypassw
- never_users =
- no_perl_at_start
- pid_file_path = /var/run/exim4/exim.pid
- pipelining_advertise_hosts = *
- prdr_enable
- no_preserve_message_logs
- primary_hostname = srv1.mydomain.com
- no_print_topbitchars
- process_log_path = /var/spool/exim4/exim-process.info
- prod_requires_admin
- qualify_domain = mydomain.com
- qualify_recipient = mydomain.com
- queue_list_requires_admin
- no_queue_only
- queue_only_load =
- queue_only_load_latch
- queue_only_override
- no_queue_run_in_order
- queue_run_max = 5
- receive_timeout = 0s
- received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}
- received_headers_max = 30
- recipients_max = 0
- no_recipients_max_reject
- remote_max_parallel = 2
- retry_data_expire = 1w
- retry_interval_max = 1d
- return_path_remove
- rfc1413_hosts = @[]
- rfc1413_query_timeout = 0s
- slow_lookup_log = 0
- smtp_accept_keepalive
- smtp_accept_max = 20
- smtp_accept_max_nonmail = 10
- smtp_accept_max_nonmail_hosts = *
- smtp_accept_max_per_connection = 1000
- smtp_accept_queue = 0
- smtp_accept_queue_per_connection = 10
- smtp_accept_reserve = 0
- smtp_banner = $smtp_active_hostname ESMTP Exim $version_number Ubuntu $tod_full
- smtp_check_spool_space
- smtp_connect_backlog = 20
- smtp_enforce_sync
- smtp_etrn_serialize
- smtp_load_reserve =
- smtp_max_synprot_errors = 3
- smtp_max_unknown_commands = 3
- no_smtp_return_error_details
- spamd_address = 127.0.0.1 783
- no_split_spool_directory
- spool_directory = /var/spool/exim4
- sqlite_lock_timeout = 5
- no_strict_acl_vars
- no_strip_excess_angle_brackets
- no_strip_trailing_dot
- syslog_duplication
- syslog_processname = exim
- syslog_timestamp
- tcp_nodelay
- timeout_frozen_after = 1w
- tls_advertise_hosts = *
- tls_certificate = /etc/exim4/exim.crt
- tls_dh_max_bits = 2236
- tls_eccurve = prime256v1
- tls_on_connect_ports = 465
- tls_privatekey = /etc/exim4/exim.key
- no_tls_remember_esmtp
- tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
- trusted_groups =
- trusted_users = uucp
- untrusted_set_sender = *
- uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
- uucp_from_sender = $1
- write_rejectlog
这是PLAIN身份验证器: